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19. (canceled) 

20. (canceled) 

2 1 . (new) An apparatus for determining secure endpoints of tunnels in a network that 
uses Internet security protocol, comprising: 

a network interface that is coupled to the network for receiving one or more 

packet flows therefrom; 
a processor; 

one or more stored sequences of instructions which, when executed by the 
processor, cause the processor to carry out the steps of: 
sending from a first network device a first description of network traffic 

that is to be protected, wherein the first description comprises a 

first set of network addresses; 
receiving, at the first network device and from a second network device, a 

second description of network traffic that is to be protected, 

wherein the second description comprises a second set of network 

addresses; 

creating and storing a third description of network traffic that is to be 
protected based on determining a logical intersection of the first 
description of network traffic and the second description of 
network traffic, wherein the step of creating and storing a third 
description further comprises the step of determining a largest 
common subset between the first set of network addresses and the 
second set of network addresses; and 
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establishing the secure connection between the first network device and 
the second network device based on the third description of 
network traffic. 

22. (new) The apparatus of claim 21. wherein the first description comprises a first 
protocol and the second description comprises a second protocol, and further comprising 
sequences of instructions which, when executed by the processor; cause the processor to 
perform the steps of determining a third protocol for the third description based on 
determining a logical intersection of the first protocol and the second protocol. 

23. (new) The apparatus of claim 21, wherein the sequences of instructions that cause 
the processor to perform determining the third protocol comprise sequences of 
instructions which, when executed by the processor, cause the processor to perform: 

determining that the third protocol is IP when both the first description and the 

second description identify IP as a protocol; 
determining that the third protocol is a specific protocol when the first description 

identifies IP and the second description identifies a non-IP protocol; 
determining that the third protocol is a either an IP or non-IP protocol when both 

the first description and the second description identify the same protocol 

of either an IP or non-IP protocol. 

24. (new) The apparatus of claim 21, wherein the first description comprises a packet 
summary value that summarizes packets in the network traffic to be protected, and 
wherein the second description is generated by the second network device based on 
comparing the packet summary value to one or more access control lists that are managed 
by the second network device. 
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25. (new) The apparatus of claim 21, wherein the first description of network traffic 
comprises a packet summary that includes: 

IP protocol information that is associated with the network traffic emanating from 
a source end host, wherein the source end host is associated with the first 
network device; 

port information that is associated with the source end host; 

port information that is associated with a destination end host, wherein the 
destination end host is associated with the second network device; 

an IP address that is associated with the source end host; 

an IP address that is associated with the destination end host; and 

a proxy address of the source end host; and 

wherein the second description is generated by the second network device based 
on comparing the packet summary to one or more access control lists that 
are managed by the second network device. 

26. (new) The apparatus of claim 21 , further comprising sequences of instructions 
which, when executed by the processor, cause the processor to perform: 

determining, at the second network device, whether the packet summary matches 
a security policy information that is associated with the second network 
device; 

wherein the packet summary is associated with the first description of network 
traffic. 

27. (new) The apparatus of claim 21, wherein the second description of network 
traffic comprises a response that includes: 
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IP protocol information that is associated with the network traffic emanating from 
a destination end host, wherein the destination end host is associated with 
the second network device; 
an IP address that is associated with the second network device; and 
proxy addresses that are associated with a destination end host. 

28. (new) The apparatus of claim 27, wherein the proxy addresses that are associated 
with the destination end host include a first subnet that includes the destination end host 
and a second subnet that includes a source end host, wherein the source end host is 
associated with the first network device. 

29. (new) The apparatus of claim 21, wherein the sequences of instructions that cause 
the processor to perform deriving a third description of network traffic further comprise 
sequences of instructions which, when executed by the processor, cause the processor to 
perform: 

determining based on the first description of network traffic and the second 

description of network traffic a first intersection proxy comprising 

protocol information; 
determining based on the first description of network traffic and the second 

description of network traffic a second intersection proxy comprising port 

information; and 

determining based on the first description of network traffic and the second 

description of network traffic a third intersection proxy comprising proxy 
address information. 
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30. (new) The apparatus of claim 21, further comprising sequences of instructions 
which, when executed by the processor, cause the processor to perform the steps of: 

receiving at the first network device an IP packet from a source end host that is 

associated with the first network device; 
verifying that the IP packet falls within the third description of network traffic. 

31 . (new) The apparatus of claim 21, wherein the first description comprises a first 
port value and the second description comprises a second port value, and further 
comprising the steps of determining a third port value for the third description based on 
determining a logical intersection of the first port value and the second port value. 

32. (new) The apparatus of claim 31, wherein the sequences of instructions that cause 
the processor to perform determining the third port value comprises sequences of 
instructions which, when executed by the processor, cause the processor to perform the 
steps of: 

determining that the third port value is a specific port value when both the first 
description and the second description identify the same specific port 
value; 

determining that the third port value is a specific port value when one of the first 
description and the second description identify the specific port value. 

33. (new) The apparatus of claim 21, wherein the network addresses comprise a 
network address and a network mask. 

34. (new) An apparatus for determining secure endpoints of tunnels in a network that 
uses Internet security protocol, comprising: 
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means for sending from a first network device a first description of network 

traffic that is to be protected, wherein the first description comprises a first 
set of network addresses; 

means for receiving, at the first network device and from a second network 
device, a second description of network traffic that is to be protected, 
wherein the second description comprises a second set of network 
addresses; 

means for creating and storing a third description of network traffic that is to be 
protected based on determining a logical intersection of the first 
description of network traffic and the second description of network 
traffic, wherein the step of creating and storing a third description further 
comprises the step of determining a largest common subset between the 
first set of network addresses and the second set of network addresses; and 

means for establishing the secure connection between the first network device and 
the second network device based on the third description of network 
traffic. 

35. (new) The apparatus of claim 34, wherein the network addresses comprise a 
network address and a network mask. 

36. (new) The apparatus of claim 34, wherein the first description comprises a first 
protocol and the second description comprises a second protocol, and further comprising 
sequences of instructions which, when executed by the processor, cause the processor to 
perform the steps of determining a third protocol for the third description based on 
determining a logical intersection of the first protocol and the second protocol. 
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37. (new) The apparatus of claim 34, wherein the sequences of instructions that cause 
the processor to perform determining the third protocol comprise sequences of 
instructions which, when executed by the processor, cause the processor to perform: 

determining that the third protocol is IP when both the first description and the 

second description identify IP as a protocol; 
determining that the third protocol is a specific protocol when the first description 

identifies IP and the second description identifies a non-IP protocol; 
determining that the third protocol is a either an IP or non-IP protocol when both 

the first description and the second description identify the same protocol 

of either an IP or non-IP protocol, 

38. (new) The apparatus of claim 34, wherein the first description comprises a packet 
summary value that summarizes packets in the network traffic to be protected, and 
wherein the second description is generated by the second network device based on 
comparing the packet summary value to one or more access control lists that are managed 
by the second network device. 

39. (new) The apparatus of claim 34, wherein the first description of network traffic 
comprises a packet summary that includes: 

IP protocol information that is associated with the network traffic emanating from 
a source end host, wherein the source end host is associated with the first 
network device; 

port information that is associated with the source end host; 

port information that is associated with a destination end host, wherein the 
destination end host is associated with the second network device; 
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an IP address that is associated with the source end host; 

an IP address that is associated with the destination end host; and 

a proxy address of the source end host; and 

wherein the second description is generated by the second network device based 
on comparing the packet summary to one or more access control lists that 
are managed by the second network device. 

40. (new) The apparatus of claim 34, further comprising sequences of instructions 
which, when executed by the processor, cause the processor to perform: 

determining, at the second network device, whether the packet summary matches 
a security policy information that is associated with the second network 
device; 

wherein the packet summary is associated with the first description of network 
traffic. 

41 . (new) A method for determining secure endpoints of tunnels in a network that 
uses Internet security protocol, the method comprising the computer-implemented steps 
of: 

receiving, at a second network device and from a first network device, a first 
description of network traffic that is to be protected, wherein the first 
description comprises a first set of network addresses; 

in response to receiving the first description of network traffic, creating and 

sending to the first network device a second description of network traffic 
that is to be protected, wherein the second description comprises a second 
set of network addresses; 
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receiving at the second network device a third description of network traffic that 
is to be protected from the first network device based on a logical 
intersection of the first description of network traffic and the second 
description of network traffic, wherein the third description comprises a 
largest common subset between the first set of network addresses and the 
second set of network addresses; and 
establishing the secure connection between the first network device and the 

second network device based on the third description of network traffic. 
42. (new) A method for determining secure endpoints of tunnels in a network that 
uses Internet security protocol, the method comprising the computer-implemented steps 
of: 

sending from a first network device a first description of network traffic that is to 
be protected, wherein the first description comprises a first set of network 
addresses; 

receiving, at the first network device and from a second network device, a second 
description of network traffic that is to be protected, wherein the second 
description comprises a second set of network addresses; 

creating and storing a third description of network traffic that is to be protected 
based on determining a logical intersection of the first description of 
network traffic and the second description of network traffic, wherein the 
step of creating and storing a third description further comprises the step 
of determining a largest common subset between the first set of network 
addresses and the second set of network addresses; and 
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establishing the secure connection between the first network device and the 

second network device based on the third description of network traffic. 

43. (new) A computer-readable medium carrying one or more sequences of 
instructions for determining secure endpoints of tunnels in a network that uses 
Internet security protocol, which instructions, when executed by one or more 
processors, cause the one or more processors to carry out the steps of: 

sending from a first network device a first description of network traffic that is to 
be protected, wherein the first description comprises a first set of network 
addresses; 

receiving, at the first network device and from a second network device, a second 
description of network traffic that is to be protected, wherein the second 
description comprises a second set of network addresses; 

creating and storing a third description of network traffic that is to be protected 
based on determining a logical intersection of the first description of 
network traffic and the second description of network traffic, wherein the 
step of creating and storing a third description further comprises the step 
of determining a largest common subset between the first set of network 
addresses and the second set of network addresses; and 

establishing the secure connection between the first network device and the 

second network device based on the third description of network traffic. 

44. (new) A computer-readable medium carrying one or more sequences of 
instructions for establishing a secure connection between two network devices, 
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which instructions, when executed by one or more processors, cause the one or 
more processors to carry out the steps of: 

receiving, at a second network device and from a first network device, a first 
description of network traffic that is to be protected, wherein the first 
description comprises a first set of network addresses; 

in response to receiving the first description of network traffic, creating and 

sending to the first network device a second description of network traffic 
that is to be protected, wherein the second description comprises a second 
set of network addresses; 

receiving at the second network device a third description of network traffic that 
is to be protected from the first network device based on a logical 
intersection of the first description of network traffic and the second 
description of network traffic, wherein the third description comprises a 
largest common subset between the first set of network addresses and the 
second set of network addresses; and 

establishing the secure connection between the first network device and the 

second network device based on the third description of network traffic. 
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